Letsencrypt & TLSA - automation

John Allen john at klam.ca
Mon Feb 20 11:55:58 CET 2017


Is the process to update the serial number automatic? If so, care to share?


On 2017-02-20 4:04 AM, Casper Gielen wrote:
> On 19-02-17 at 19:20, John Allen wrote:
>> Attached is a bash script that I am developing to automate the
>> generation of TLSA records from Letsencrypt certificates.
>>
>> The script is called from the certbot renew hook; it can also be run
>> stand-alone: Certbot_TLSAgen path-to-certificate "space separated list
>> of domains included in cert"
>>
>> It seems to work, but would some kind soul take a look and see where I
>> have or am about to screw up.
>>
>>
>> Any suggestions as to how to get the output into my DNS (Bind9),
>> preferably without using nsupdate? I am not keen on nsupdate, as it makes
>> a mess of the zone files, which I use as documentation for my DNS.
> It may not be the cleanest method, but I use the INCLUDE statement in my
> zones to include snippets of externally maintained information.
>
> The script I use outputs the required records and I just put it in the
> right file and trigger a procedure to update the serial number and
> reload Bind.
>
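As an added example (not John's or Casper's script), this is the kind of serial-bump step Casper describes for a zone that $INCLUDEs the generated TLSA snippet: it rewrites only the SOA serial digits in the BIND zone file, using a date-based YYYYMMDDnn serial, and can then reload the zone with rndc. The sample zone, the /etc/bind/tlsa path and the zone name are constructed; the optional date argument exists so the step can be exercised with a fixed day.

```sh
bump_serial() {   # usage: bump_serial ZONEFILE [YYYYMMDD]; prints the new serial
  zone=$1
  today=${2:-$(date +%Y%m%d)}                  # date-based serial: YYYYMMDDnn
  tmp=$(mktemp) || return 1
  new=$(awk -v today="$today" -v out="$tmp" '
    # Date-based bump: jump to today"01" if the serial is older, else add 1.
    function bump(old,  base) {
      base = today "01"
      return (old + 0 < base + 0) ? base : sprintf("%.0f", old + 1)
    }
    {
      line = $0
      if (!found) {
        off = 0                              # where the SOA RDATA starts on this line
        if (!insoa && match(line, /[ \t]SOA[ \t]/)) { insoa = 1; off = RSTART + RLENGTH - 1 }
        if (insoa) {
          code = substr(line, off + 1)
          if ((c = index(code, ";")) > 0) code = substr(code, 1, c - 1)   # ignore comments
          # The serial is the first bare integer after SOA (mname and rname are names).
          if (match(code, /(^|[ \t(])[0-9]+([ \t)]|$)/)) {
            m = substr(code, RSTART, RLENGTH)
            lead = m; sub(/[0-9].*$/, "", lead)          # separator before the digits
            old = m;  gsub(/[^0-9]/, "", old)
            s = off + RSTART + length(lead)               # 1-based column of the serial
            new = bump(old)
            line = substr(line, 1, s - 1) new substr(line, s + length(old))
            found = 1
          }
        }
      }
      print line > out                       # every other byte of the zone is untouched
    }
    END { if (!found) exit 1; print new }' "$zone") || { rm -f "$tmp"; return 1; }
  cat "$tmp" > "$zone" && rm -f "$tmp"       # cat, not mv: keeps the file owner and mode
  echo "$new"
}
bump_and_reload() {   # usage: bump_and_reload ZONEFILE ZONENAME (needs a running named)
  bump_serial "$1" >/dev/null && rndc reload "$2"
}
# Constructed sample zone that $INCLUDEs the TLSA snippet written by the renew hook.
demo=$(mktemp)
cat > "$demo" <<'EOF'
@   IN SOA ns1.example.net. hostmaster.example.net. (
        2017021901 ; serial
        3600 900 604800 86400 )
$INCLUDE "/etc/bind/tlsa/example.net.tlsa"
EOF
bump_serial "$demo" 20170220   # prints 2017022001
```

Run from the renew hook after the TLSA snippet has been written, then call bump_and_reload with the zone name; a second bump on the same day yields 2017022002.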



More information about the dane-users mailing list